However, CIOs should have specific concerns about SaaS contract negotiations. Here I'll highlight two aspects of a SaaS contract I recently worked on and suggest some ways that you can avoid falling prey to poorly drafted vendor forms.
When the Contract Undercuts the Value of SaaS
We worked with a large SaaS vendor with a substantial presence in the marketplace. The vendor's Web site says that the vendor's application has "100% availability" and "24/7 and 365 availability and monitoring." Yet the company's form agreement didn't allow for either of these protections.
In revising the vendor form, we added provisions that provided these protections (which the vendor initially rejected). In a SaaS transaction, application availability and performance monitoring is crucial, so the SaaS contract should include service-level guarantees. Service-level stipulations should spell out minimum levels of acceptable performance, including response time, uptime, customer satisfaction, etc.
Additionally, your company should consider adding a termination right for any vendor performance lapses. Without minimum performance guarantees, the value of SaaS to your company is greatly diminished. The vendor we worked with finally agreed to certain service standards and performance credits related to availability. But it was unwilling to match the language of its Web site to that in the contract.
The vendor's Web site also states that "data security" is the company's "biggest priority," that its "data centers use state-of-the-art firewall technology" and make "data security a priority in all aspects" of operations." But the vendor's form contract made no mention of the vendor's data security procedures. Nor did it include any obligations with respect to the security of our client's data. Moreover, the vendor's form actually disclaimed any responsibility with respect to data loss.
While this is a common position for vendors to take, it is generally unacceptable in SaaS transactions due to the critical nature of the data involved.
Ground Rules for SaaS Contracts
In our transaction, we included several provisions with respect to data security, such as these: (1) a requirement that the vendor comply with our client's data security practices; (2) warranties with respect to data security, loss and alteration; (3) the client's right to perform audits and periodic security evaluations; (4) a disaster recovery and business continuity plan and the vendor's associated obligations, coupled with a properly drafted force majeure clause (see "Force Majeure Meets Disaster Recovery," September 2006 issue); (5) clear statements with respect to data ownership and return; (6) the vendor's obligation to perform frequent backups; and (7) vendor requirements regarding data restoration.
In our case, the vendor didn't accept all our provisions, but it agreed to many of them. The result was a contract that was far more protective of our client than the original form created by the vendor. And one thing is for sure: As SaaS spreads throughout the enterprise, IT executives need to be aware of possible vendor contract pitfalls.
Matt Karlyn, J.D., M.B.A., is a member of Foley & Lardner LLP's Information Technology & Outsourcing Practice Group in Boston. Write to him at email@example.com.